I have read this article but still have some doubts, maybe after that...

The Windows Firewall feature in Microsoft Windows XP Service Pack 2
(SP 2) accepts a three-second unicast response from any source
address. This response is not subject to any filtering. This response
must be received on the same port that Windows XP SP2 used to
broadcast the original multicast or broadcast message.

This feature enables programs and services that use multicast and
broadcast messages to work correctly.

Note: This change does not apply to the IPv6 firewall.

I have worked with firewalls for many years, but so far I have not read about this concept, and I can't describe it in detail for the students in my class.

Is this normal behaviour for firewalls, and what is the reasoning behind it?

1 Answer

This is not normal for firewalls, although it is almost like a stateful firewall policy, at least in spirit.

Multicast applications in 2004 (the time when SP2 was released) had many latency issues and various networking 'helps' were put in place to make the experience smoother. I suspect that MS added this 'feature' to assist online multimedia.
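
The behaviour quoted in the question can be modelled in a few lines to show why a strict stateful match drops replies to a multicast query, and what the three-second exception admits instead. This is an added example, not Windows Firewall code or part of the original posts; the class and function names, addresses and ports are constructed, and treating the three-second limit as inclusive is an assumption.

```python
import ipaddress

REPLY_WINDOW_S = 3.0  # "three-second unicast response" from the quoted article

def is_group_or_broadcast(dst: str) -> bool:
    # Simplification: IPv4 multicast or the limited broadcast address only.
    addr = ipaddress.ip_address(dst)
    return addr.is_multicast or addr == ipaddress.ip_address("255.255.255.255")

class ReplyWindowModel:
    """Toy model of the described exception; not Windows Firewall's code."""

    def __init__(self):
        self.flows = {}    # (local_port, remote_ip, remote_port) -> time sent
        self.windows = {}  # local_port -> time of last multicast/broadcast send

    def outbound(self, now, local_port, dst_ip, dst_port):
        self.flows[(local_port, dst_ip, dst_port)] = now
        if is_group_or_broadcast(dst_ip):
            self.windows[local_port] = now

    def strict_stateful_accepts(self, local_port, src_ip, src_port):
        # Classic stateful match: the reply must come from the exact address
        # and port the host sent to. A multicast group never replies itself.
        return (local_port, src_ip, src_port) in self.flows

    def window_accepts(self, now, local_port, src_ip, src_port):
        # Described behaviour: any source, same local port, within 3 seconds.
        if self.strict_stateful_accepts(local_port, src_ip, src_port):
            return True
        opened = self.windows.get(local_port)
        return opened is not None and 0 <= now - opened <= REPLY_WINDOW_S

def demo():
    fw = ReplyWindowModel()
    # Constructed traffic: a query sent to a multicast group from port 50000.
    fw.outbound(0.0, 50000, "239.255.255.250", 1900)
    return {
        "strict_responder": fw.strict_stateful_accepts(50000, "192.0.2.10", 1900),
        "window_responder": fw.window_accepts(1.2, 50000, "192.0.2.10", 1900),
        "window_other_host": fw.window_accepts(2.9, 50000, "198.51.100.7", 4444),
        "window_expired": fw.window_accepts(3.5, 50000, "192.0.2.10", 1900),
        "window_other_port": fw.window_accepts(1.0, 50001, "192.0.2.10", 1900),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accept' if accepted else 'drop'}")
```

The `window_other_host` case is the trade-off to point out in class: during the window the port is reachable from any source address, not only from hosts that legitimately answer the query.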